CVE-2025-46543
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CharlyLeetham Enhanced Paypal Shortcodes enhanced-paypal-shortcodes allows Stored XSS. This issue affects Enhanced Paypal Shortcodes: from n/a through <= 0.5a.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Enhanced Paypal Shortcodes ≤0.5a lets attackers inject malicious scripts via shortcodes, enabling mass exploitation.
Vulnerability Description
The Enhanced Paypal Shortcodes plugin for WordPress fails to properly neutralize user input when generating web pages, resulting in a stored cross-site scripting (XSS) vulnerability [1]. The issue affects all versions up to and including 0.5a. An attacker with contributor-level or higher privileges can inject arbitrary JavaScript through crafted shortcodes; the script is stored and then executed whenever a visitor loads the affected page [1].
Exploitation
The attack requires no user interaction beyond the initial injection by an authenticated user. Once a malicious shortcode is saved, the payload automatically triggers in the browser of any user viewing the page that renders it [1]. The vulnerability is particularly dangerous because it can be leveraged in mass-exploit campaigns targeting thousands of WordPress sites simultaneously, as noted in the advisory [1].
Impact
Successful exploitation allows an attacker to steal cookies, hijack sessions, deface websites, redirect visitors to malicious domains, or inject advertisements and other HTML payloads [1]. Given the potential for automated attacks, this vulnerability poses a significant risk to site integrity and visitor safety.
Mitigation
As of publication, no patched version is available; users should update the plugin if a fix is released, or otherwise remove it from their WordPress installation [1]. Immediate action is advised, and those unable to update should consult their hosting provider or apply a Web Application Firewall rule to mitigate exploitation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 0.5a
- Range: <=0.5a
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.